OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Briefing Report

EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Supervisory Control and Data Acquisition (SCADA) Vulnerabilities

Report No. 2005-P-00002

January 6, 2005

Report Contributors:
Michael Loughnane
Ricardo Martinez
Erin Mastrangelo
Andrew McLaughlin

Abbreviations

EPA      Environmental Protection Agency
ORD      Office of Research and Development
OW       Office of Water
SCADA    Supervisory Control and Data Acquisition

At a Glance

Why We Did This Review

Federal Directives highlighted the need to secure cyberspace, including SCADA, from terrorists and other malicious actors, and stated that securing SCADA is a national priority. We learned from stakeholder contacts that utilities may require assistance in order to secure their SCADA system vulnerabilities.

Background

SCADA is a technology that allows a user to collect data from sensors and control equipment, such as pumps and valves, from a remote location. SCADA is commonly used in many industries, including water utility operations.

We suspended our SCADA project because EPA agreed to incorporate our concerns into an Agency SCADA project. At EPA’s request, we briefed the Agency on our preliminary research and prepared this briefing report.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link:
www.epa.gov/oig/reports/2005/20050106-2005-P-00002.pdf

What We Found

SCADA networks were developed with little attention paid to security. As a result, many SCADA networks may be susceptible to attacks and misuses. Furthermore, studies indicated that some water utilities may have spent little time and money securing their SCADA systems.

Some areas and examples of possible SCADA vulnerabilities include operator errors and corruption, unsecured electronic communications, hardware and software limitations, physical security weaknesses, natural disasters, poorly written software, and poor security administration. Vulnerabilities may allow a person of malicious intent to cause significant harm. For example, in 2000, an engineer used radio telemetry to gain unauthorized access into an Australian waste management system and dump raw sewage into public areas. In another example, a contractor conducting a utility water assessment stated that he was able to access the utility’s network from a remote location within minutes and could have caused significant harm.

Through preliminary research, we found several possible reasons why utilities have not successfully reduced or mitigated identified vulnerabilities. It is important to note that this list is not in any way expected to be exhaustive of what a full study may reveal. Specifically:

• Current technological limitations may impede implementing security measures.
• Companies may not be able to afford or justify the required investment.
• Utilities may not be able to conduct background checks on existing employees.
• Officials may not permit SCADA penetration testing.
• Technical engineers may have difficulty communicating security needs to management.

To better enable water systems to secure their SCADA systems, we suggest that EPA identify impediments preventing water systems from successfully reducing or mitigating SCADA vulnerabilities, and take steps to reduce those impediments. If EPA identifies a problem with no apparent solution, the Agency should communicate this problem to the Department of Homeland Security, Congress, and others as appropriate. We also suggest that EPA develop SCADA security measures to track the effectiveness of security efforts.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

January 6, 2005

MEMORANDUM

SUBJECT: Final Briefing Report: EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Supervisory Control and Data Acquisition (SCADA) Vulnerabilities

FROM: Jeffrey K. Harris /s/
Director for Program Evaluation, Cross-Media Issues

TO: Lek Kadeli
Acting Deputy Assistant Administrator for Management for Research and Development

Benjamin Grumbles
Assistant Administrator for Water

As part of our ongoing evaluation of the Environmental Protection Agency’s (EPA’s) activities to enhance the security of the Nation’s water supply, we planned on conducting an evaluation of impediments to securing water Supervisory Control and Data Acquisition (SCADA) systems. Specifically, we planned to research what barriers, if any, impede water systems from securing SCADA weaknesses identified in their vulnerability assessments prepared under the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-188; June 12, 2002) or by other means. Understanding impediments may better enable EPA to appropriately consider and plan for water systems’ SCADA security needs.

Many infrastructures and industries use computer-based systems to remotely control sensitive processes and physical functions previously controlled manually.
These systems, commonly known as SCADA [1], allow a water utility to collect data from sensors and control equipment located at remote sites. Common water system sensors measure elements such as fluid level, temperature, pressure, water purity, water clarity, and pipeline flow rates. Common water system equipment includes valves, pumps, and mixers for mixing chemicals into the water supply.

[1] SCADA systems are also sometimes referred to as Digital Control Systems or Process Control Systems.

At EPA’s request, we suspended our SCADA project because EPA has agreed to incorporate our questions into their planned work. On September 30, 2002, EPA awarded the Water Environment Research Foundation [2] a cooperative agreement to support their water security research efforts. The $2.1 million agreement partially funded various research projects, including $250,000 to partially fund research in Security Measures for Computerized and Automated Systems. On September 8, 2004, the Water Environment Research Foundation awarded EMA, Inc. [3], a $294,748 contract to conduct the SCADA research project titled “Security Measures for Computerized and Automated Systems.” EPA participates on the project steering committee, and requested that we elaborate on our preliminary research [4] and share SCADA information and concerns that we observed. In response, on November 16, 2004, we convened a meeting with officials from the Office of Water and Office of Research and Development, and agreed to compile the attached briefing. The OIG presentation slides used for the meeting are included in Appendix A.

We planned the SCADA evaluation because, during our preliminary research, we learned that utilities may require assistance in order to secure their SCADA systems.
We based our observations on information obtained from our interviews with water utility officials, contractors, other infrastructure SCADA security persons, the Department of Homeland Security, Sandia National Laboratories, and EPA representatives; attendance at stakeholder and national water conference meetings; and a review of vulnerability assessment tools, methodologies, and related documents. We conducted our work between May 24, 2004, and September 28, 2004, in accordance with Government Auditing Standards issued by the Comptroller General of the United States.

[2] The Water Environment Research Foundation is a nonprofit corporation with its principal place of business located in Alexandria, VA.

[3] EMA, Inc., is a for profit organization with its principal place of business located in St. Paul, MN.

[4] The EPA Office of Inspector General conducted preliminary research evaluating water system security activities in support of the Agency’s September 2002 Strategic Plan for Homeland Security. EPA’s Homeland Security Strategy was subsequently updated on October 5, 2004.

Federal Directives Highlight Need to Secure SCADA

In recent years, various official sources have addressed the importance of securing cyberspace, including SCADA.

Presidential Directives: Presidential Decision Directive 62, issued in 1998, noted that the Nation's critical infrastructure relies heavily on the use of computers with cyber vulnerabilities that terrorists or criminals may use to commit attacks. Presidential Decision Directive 63, also issued in 1998, addressed the need to protect the Nation’s critical infrastructures against criminal and terrorist attacks, and designated EPA the lead Federal agency for helping to secure water infrastructure. It also stated that advances in information technology and the necessity of improved efficiency have resulted in increasingly automated and interlinked infrastructures, and created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. It challenged the Nation to “swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including specially our cyber systems.” In December 2003, Homeland Security Presidential Directive 7 confirmed EPA’s role as the lead agency for identifying, prioritizing, and coordinating the protection of critical infrastructure and key resources for drinking water and water treatment systems.

National Strategies: The White House’s July 2002 National Strategy for Homeland Security noted that cyber attacks frequently occur on a local scale, and such attacks can occur on a more catastrophic national scale. The National Strategy further stated that our Nation’s potential enemies have the intent, that the tools of destruction are broadly available, that our systems have well-known vulnerabilities, and that a single act could inflict damage in multiple locations without the attacker ever physically entering the United States. The February 2003 National Strategy to Secure Cyberspace [5] included five priorities. The second priority, titled “A National Cyberspace Security Threat and Vulnerability Reduction Program,” addressed SCADA security issues and stated that securing SCADA is a national priority.

The Bioterrorism Act: The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-188) requires utilities serving a population greater than 3,300 persons to conduct vulnerability assessments and to prepare emergency response plans. The Act required vulnerability assessments to include a review of automated systems. EPA awarded $51 million in grants to help large utilities prepare vulnerability assessments required under the Bioterrorism Act. EPA stores copies of these assessments in a secure area. Within six months of completing their assessments, water systems must certify to EPA that they completed their emergency response plans. However, the Act did not require utilities to submit copies of their plans to EPA.

SCADA Vulnerabilities Are Many

SCADA networks were developed with little attention paid to security, so the security of these systems is often weak. Studies have found that, while technological advancements introduced vulnerabilities, many water utilities have spent little time securing their SCADA networks. As a result, many SCADA networks may be susceptible to attacks and misuse.

Remote monitoring and supervisory control of processes began to develop in the early 1960s, and adopted many technological advancements. The advent of minicomputers made it possible to automate a vast number of once manually-operated switches. Advancements in radio technology reduced the communication costs associated with installing and maintaining buried cable in remote areas. SCADA systems continued to adopt new communication methods including satellite and cellular.
As the price of computers and communications dropped, it became economically feasible to distribute operations and to expand SCADA networks to include even smaller facilities.

[5] Cyberspace is composed of computer systems and their interconnections (source: The White House, “The National Strategy to Secure Cyberspace,” 2003, executive summary, p. vii).

Advances in information technology and the necessity of improved efficiency have resulted in increasingly automated and interlinked infrastructures, and created new vulnerabilities due to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Some areas and examples of possible SCADA vulnerabilities include:

• Human - People can be tricked or corrupted, and may commit errors.
• Communications - Messages can be fabricated, intercepted, changed, deleted, or blocked.
• Hardware - Security features are not easily adapted to small self-contained units with limited power supplies.
• Physical - Intruders can break into a facility to steal or damage SCADA equipment.
• Natural - Tornados, floods, earthquakes, and other natural disasters can damage equipment and connections.
• Software - Programs can be poorly written.

A study published May 1998 included a survey [6] that found that many water utilities were doing little to secure their SCADA network vulnerabilities. For example, many respondents reported that they had remote access, which can allow an unauthorized person to access the system without being physically present. More than 60 percent of the respondents believed that their systems were not safe from unauthorized access and use. Twenty percent of the respondents even reported known attempts, successful unauthorized access, or use of their system.
Yet 22 of 43 respondents reported that they do not spend any time ensuring their network is safe and 18 of 43 respondents reported that they spend less than 10 percent ensuring network safety.

SCADA system computers and their connections are susceptible to different types of information system attacks and misuse such as system penetration and unauthorized access to information. The Computer Security Institute and Federal Bureau of Investigation conduct an annual Computer Crime and Security Survey [7]. The 2004 survey reported on 10 types of attacks or misuse, and reported that virus and denial of service had the greatest negative economic impact. The same study also found that 15 percent of the respondents reported abuse of wireless networks, which can be a SCADA component. On average, respondents from all sectors did not believe that their organization invested enough in security awareness. Utilities as a group reported a lower average computer security expenditure/investment per employee than many other sectors such as transportation, telecommunications, and financial.

Sandia National Laboratories’ Common Vulnerabilities in Critical Infrastructure Control Systems [8] described some of the common problems it has identified in the following five categories:

1. System Data - Important data attributes for security include availability, authenticity, integrity, and confidentiality. Data should be categorized according to its sensitivity, and ownership and responsibility must be assigned. However, SCADA data is often not classified at all, making it difficult to identify where security precautions are appropriate.
2. Security Administration - Vulnerabilities emerge because many systems lack a properly structured security policy, equipment and system implementation guides, configuration management, training, and enforcement and compliance auditing.
3. Architecture - Many common practices negatively affect SCADA security. For example, while it is convenient to use SCADA capabilities for other purposes such as fire and security systems, these practices create single points of failure. Also, the connection of SCADA networks to other automation systems and business networks introduces multiple entry points for potential adversaries.
4. Network (including communication links) - Legacy systems’ hardware and software have very limited security capabilities, and the vulnerabilities of contemporary systems (based on modern information technology) are publicized. Wireless and shared links are susceptible to eavesdropping and data manipulation.
5. Platforms - Many platform vulnerabilities exist, including default configurations retained, poor password practices, shared accounts, inadequate protection for hardware, and nonexistent security monitoring controls. In most cases, important security patches are not installed, often due to concern about negatively impacting system operation; in some cases technicians are contractually forbidden from updating systems by their vendor agreements.

[6] The survey was part of a thesis presented to the Faculty of the School of Engineering and Applied Science at the University of Virginia: Ezell, Captain Barry C., “Risks of Cyber Attack to Supervisory Control and Data Acquisition for Water Supply (May 1998).”

[7] Computer Crime Institute and Federal Bureau of Investigations, “Ninth Annual Computer Crime and Security Survey” (2004).

[8] Stamp, Jason et al., “Common Vulnerabilities in Critical Infrastructure Control Systems (2nd edition, 22 May 2003; revised 11 November 2003),” Sandia National Laboratories.

The following two incidents help to illustrate some of the risks associated with SCADA vulnerabilities.

• In 2000, an engineer used radio telemetry to gain unauthorized access into an Australian waste management system and dump raw sewage into public waterways and the grounds of a hotel. The perpetrator had worked for the contractor that supplied the remote control and telemetry equipment to the waste management system. This incident highlights many SCADA vulnerabilities. It illustrates the human factor of how people may be corrupted, and that the risk extends beyond current employees to outsiders who gain working knowledge of system operations. Additionally, it illustrates that an outsider can exploit communications vulnerabilities to hack into a system.

• During the course of conducting a vulnerability assessment, a contractor stated that personnel from his company penetrated the information system of a utility within minutes. Contractor personnel drove to a remote substation and noticed a wireless network antenna. Without leaving their vehicle, they plugged in their wireless radios and connected to the network within 5 minutes. Within 20 minutes they had mapped the network, including SCADA equipment, and accessed the business network and data.
  This illustrates what a cyber security advisor from Sandia National Laboratories specializing in SCADA stated, that utilities are moving to wireless communication without understanding the added risks.

EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Vulnerabilities

EPA agreed to incorporate our SCADA research question into their planned work, and requested that we elaborate on the SCADA security issues we would like covered. Our research question was “What barriers, if any, prevent water systems from securing known SCADA vulnerabilities?” More specifically, our research goals were as follows.

The first goal was to identify specific SCADA vulnerabilities uncovered by water system vulnerability assessments and by other means. Vulnerability assessments stored at EPA may identify a wide array of vulnerabilities, as may other or subsequent assessments maintained by the utilities. Other possible sources of vulnerabilities information include water and SCADA experts from other infrastructures, National Laboratories, the Department of Homeland Security, academia, and contractors. Identified vulnerabilities can be listed, grouped, and analyzed to determine which are the most critical and most common vulnerabilities identified at water systems.

The second goal was to determine if vulnerability assessments are being successfully addressed. Completing vulnerability assessments and emergency response plans may not by themselves make water systems safer. Water systems must respond with proper security measures. Conversations with SCADA water system personnel and contractors may reveal whether water systems have implemented adequate security measures. For example, a contractor stated that utility operators may continue using default passwords due to a false sense of security.
Utility representatives, system integrators, and manufacturers of hardware, software, and firmware may reveal whether utilities include security specifications in their procurement requirements. It is also important to determine what steps water systems take to validate the degree to which their remedies mitigated the vulnerability.

The third goal was to determine the reasons behind those instances where utilities cannot successfully reduce or mitigate identified vulnerabilities. Securing SCADA has inherent obstacles, and water systems may be unable or unwilling to take necessary security measures. The February 2003 National Strategy to Secure Cyberspace stated that securing SCADA is complicated because companies cannot afford or justify the required investment in systems and research and development; current technological limitations impede implementing security measures. This and other obstacles or barriers may impede water systems from successfully securing their water systems, leaving water systems at risk. For example, some utilities stated that they cannot conduct background checks on existing employees. Another utility representative stated that a city manager did not permit SCADA penetration testing. A Sandia National Laboratories representative and a contractor both stated that technical SCADA engineers have difficulty communicating security needs to management in a way that will get the projects funded. Another factor may be that water systems with significant investment in SCADA equipment and training may hesitate to undertake protection methods that require major replacement. What we found to date is based on preliminary research and is not in any way expected to be exhaustive of what a full study may reveal.
EPA may find additional SCADA security constraints and may wish to pay particular attention to those that affect the most critical or common vulnerabilities.

The fourth goal was to determine what actions EPA can take to help remove impediments to water SCADA security. Possible EPA responses might include technical papers, manuals, a toolbox, new research, investment in new technologies, standards, and alerting other stakeholders. By identifying the most significant barriers impeding water systems from securing their SCADA systems, EPA will be better equipped to plan for and address key problems. EPA will be in a better position to address those problems that delay or preclude water SCADA security. This may allow EPA and others to focus limited resources into the areas that will have the greatest water SCADA security impact. Where EPA identifies a problem with no viable, likely, or apparent solution, the Agency should communicate this problem to the Department of Homeland Security, Congress, water industry groups, or others as appropriate.

We Encourage EPA to Develop SCADA Security Measures

We encourage EPA to look for ways to measure the extent to which water system efforts and EPA contributions increase SCADA security. This would entail developing program measures and ways to systematically collect information. EPA may be able to learn from the practices of others. For example, the Computer Security Institute joined forces with the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad and developed an annual computer crime and security survey. The survey asks participants to respond anonymously to a series of security-related questions, and establishes trends based on the responses. Possible sources of information include water systems, SCADA system integrators, security component manufacturers, intrusion assessment contractors, etc.
Proper measures will allow EPA to better ensure that resources are allocated appropriately and efficiently, and that the program is accomplishing its goals. It will also help EPA to comply with the Government Performance and Results Act of 1993 and the President’s Management Agenda, which require EPA to measure the effectiveness of its programs.

Suggestions

To better enable water systems to secure their SCADA systems, we suggest that

1. EPA identify impediments preventing water systems from successfully reducing or mitigating SCADA vulnerabilities, and take steps to reduce those impediments.

2. EPA develop SCADA security measures to track the effectiveness of security efforts.

Agency Response

The EPA Office of Research and Development chose not to provide a formal written response. Similarly the EPA Office of Water chose not to provide written comments, but noted that their current activities are addressing the OIG suggestions. We are closing this report upon issuance since it does not contain recommendations.

Appendix A

Environmental Protection Agency
Office of Inspector General
Catalyst for Environmental Improvement

OIG/ORD/OW SCADA Meeting

Ricardo Martinez, Office of Program Evaluation
Michael Loughnane, Computer Crimes Directorate
November 16, 2004

Agenda

1. What is SCADA
2. SCADA Vulnerabilities
3. Federal Directives
4. Current Status

What is SCADA?

Supervisory Control And Data Acquisition System

Computer-based system that remotely controls processes previously controlled manually.

Allows a water utility to
• Collect data from sensors
• Control equipment at remote sites

SCADA

[Diagram labels: Multiple Remote Computers; Pumps, Valves, Actuators, etc.; Sensors]

SCADA allows an Operator using a central computer to supervise (control and monitor) multiple networked computers at remote locations.

Each remote computer can control mechanical processes (pumps, valves, etc.) and collect data from sensors at its remote location.

Thus the Phrase: Supervisory Control and Data Acquisition, or SCADA.

SCADA

[Diagram labels: Operator (Supervisor); Human/Machine Interface (HMI) Software; Master Terminal Unit (MTU); Multiple PLCs/RTUs; Pumps, Valves, Actuators, etc.; Sensors]

The central computer is called the Master Terminal Unit, or MTU. The Operator interfaces with the MTU using a software called Human Machine Interface, or HMI.

SCADA

[Diagram labels: Operator (Supervisor); Human/Machine Interface (HMI) Software; Master Terminal Unit (MTU); Multiple PLCs/RTUs; PLC/RTU; Pumps, Valves, Actuators, etc.; Sensors]

The remote computer is called Program Logic Controller (PLC) or Remote Terminal Unit (RTU)*

*There are differences between a PLC and RTU.

SCADA

[Diagram labels: Operator (Supervisor); Human/Machine Interface (HMI) Software; Master Terminal Unit (MTU); Multiple PLCs/RTUs; PLC/RTU; Relay; Turns on/off Mechanical Equipment; Sensors]

The RTU activates a relay (or switch) that turns mechanical equipment “on” and “off.” The RTU also collects data from sensors.
                  Pumps, Valves,\n                            Actuators, etc.\n8                                                                                        SCADA\n\x0c                                                          Environmental Protection Agency\n                                                            Office of Inspector General\n\n\n       Operator              Human /\n                                             Master         In the early stages utilities ran wires,\n      (Supervisor)          Machine\n                                          Terminal Unit     also known as hardwire or land lines,\n                            Interface\n                                             (MTU)          from the central computer (MTU) to\n                             (HMI)\n                             Software                       the remote computers (RTUs).\n\n     Multiple\n    PLCs/RTUs                                                  Hardwire\n\n\n                                              PLC/       Since remote locations can be located\n                     PLC/                                hundreds of miles from the central\n                     RTU                      RTU\n                                                         location, utilities begun to use public\n                                                         phone lines and modems, leased\n                                                         telephone company lines, and radio &\n                                                         microwave communication. 
More\n               Turns                                     recently, they have also begun to use\n               on/off             Relay          Sensors satellite links, Internet, & newly\n             Mechanical\n             Equipment\n                                                         developed wireless technologies.\n\n\n                            Pumps, Valves,\n                            Actuators, etc.\n9                                                                                       SCADA\n\x0c                                                           Environmental Protection Agency\n                                                             Office of Inspector General\n\n\n        Operator              Human /\n                                              Master\n       (Supervisor)          Machine                           Business\n                                           Terminal Unit\n                             Interface                         Systems\n                                              (MTU)\n                              (HMI)\n                              Software\n\n      Multiple\n     PLCs/RTUs\n                                                          Since the SCADA systems\xe2\x80\x99 Sensors\n                                               PLC/       provided valuable information,\n                      PLC/\n                                               RTU        many utilities established\n                      RTU\n                                                          \xe2\x80\x9cconnections\xe2\x80\x9d between their\n                                                          SCADA systems and their business\n                                                          system. 
This allowed Utility\n                                                          management and other staff access\n                Turns\n                                                          to valuable statistics, such as water\n                on/off             Relay          Sensors usage.\n              Mechanical\n              Equipment\n\n\n                             Pumps, Valves,\n                             Actuators, etc.\n10                                                                                       SCADA\n\x0c                                                            Environmental Protection Agency\n                                                              Office of Inspector General\n\n\n        Operator              Human /\n                                              Master\n       (Supervisor)          Machine                            Business               Internet\n                                           Terminal Unit\n                             Interface                          Systems\n                                              (MTU)\n                              (HMI)\n                              Software\n\n      Multiple\n     PLCs/RTUs\n                                                              When utilities later connected their\n                                               PLC/           systems to the Internet, they were\n                      PLC/\n                                               RTU            able to provide stakeholders with\n                      RTU\n                                                              water statistics on the Utility web\n                                                              pages.\n\n\n                Turns\n                on/off             Relay          Sensors\n              Mechanical\n              Equipment\n\n\n                             Pumps, Valves,\n                             Actuators, etc.\n11                           

[Figure: Representative SCADA network (Supervisory Control And Data Acquisition System). Main SCADA Control Center: Operator (Supervisor), Human/Machine Interface (HMI) Software, Master Terminal Unit (MTU). Corporate Offices: Business Systems, Firewall, Internet. Remote Location: PLC/RTU, Physical Security System, Sensors, Relay that turns mechanical equipment (pumps, valves, actuators, etc.) on/off. Links to other remote locations/substations.]

SCADA systems have many areas where security is a concern.

Agenda
1. What is SCADA
2. SCADA Vulnerabilities
3. Federal Directives
4. Current Status

Vulnerabilities
• Physical
  Example: Intruders can break into your facilities to steal or damage SCADA equipment.
• Natural
  Example: Tornados, floods, earthquakes, and other natural disasters can damage equipment or connections.
• Hardware
  Example: Security features are not easily adapted to small self-contained units with limited power supplies.
• Software
  Example: Programs can be poorly written.
• Communications
  Example: Messages can be fabricated, intercepted, changed, or deleted/blocked.
• Human
  Example: People can be tricked or corrupted, and may commit errors.

Described common problems identified in 5 categories:
1. Data
2. Security Administration
3. Architecture
4. Network
5. Platforms

Pre-9/11 Baseline Condition
Per a study published 1998, approximately:
• 60% reported their SCADA system could be remotely accessed and controlled.
• 60% reported their systems not safe from unauthorized access or use.
• 20% reported known attempts.
• 50% reported not spending any time ensuring their network is safe.
• 40% reported they spend less than 10% of their time ensuring network safety.

Current Survey
On average, respondents from all sectors did not believe that their organization invested enough in security awareness.

Utilities as a group reported a lower average computer security expenditure/investment per employee than many other sectors such as transportation, telecommunications, and financial.

The survey also found:
• Of 10 types of attacks or misuse, virus and denial of service had the greatest negative
  economic impact
• 15% reported abuse of wireless networks

Two SCADA Risk Illustrations
• Australian waste management system
  Engineer used unauthorized access to dump raw sewage.
• Utility vulnerability assessment
  Contractor penetrated a utility information system from a remote substation within minutes.

Federal Directives
• PDD 62, issued May 1998
• PDD 63, issued May 1998
• The National Strategy for Homeland Security, July 2002
• The National Strategy to Secure Cyberspace, Feb 2003

PDD 62, issued May 1998, noted that the Nation's critical infrastructure relies heavily on the use of computers with cyber vulnerabilities that terrorists may exploit to commit attacks.

PDD 63, issued May 1998, noted that information technology advances have:
• Improved efficiency
• Increasingly automated and interlinked infrastructures
• Created new vulnerabilities

Equipment Failure | Human Error | Natural causes | Physical or Cyber attacks

PDD 63, issued May 1998, named EPA as the water infrastructure lead tasked with forming a private-public partnership to:
• swiftly eliminate significant vulnerabilities, "including specially our cyber systems." (See Section II)
• encourage utilities to provide maximum feasible infrastructure security & information so the government can assist them.

The National Strategy for Homeland Security stated (p.34):
• Cyber attacks are happening frequently on a local scale
• It can occur on a broader or even national scale (catastrophic)
• Our potential enemies have the intent
• The tools of destruction are broadly available
• Our systems have many well-known vulnerabilities
• A single act can inflict damage in multiple locations simultaneously without the attacker ever having physically entered the United States

EPA's role is crucial in making sure that the water sector's security challenges are not overlooked.

The National Strategy for Homeland Security stated:
• DHS depends on federal agencies to address a sector's unique infrastructure challenges. (p31d)
• Government must help enable the private sector's ability to carry out its protection responsibilities. (p33b)

The National Strategy to Secure Cyberspace, Feb. 2003

Under Priority #2 - A National Cyberspace Security Threat and Vulnerability Reduction Program (page 32):
Securing SCADA is a national priority but complicated because:
• It requires investment in systems and R&D that companies cannot afford or justify on their own.
• Current technological limitations could impede the implementation of security measures.
  e.g., security features may not be easily adapted, and could also impact the systems' performance/synchronization.

Page ix: A government role is warranted:
• When high transaction costs or legal barriers lead to significant coordination problems.
• When there is an absence of private sector
  forces.
• When incentive problems lead to under provisioning of critical shared resources;
• In raising awareness.

Current Status
• Utility VAs completed/due (copies in EPA vault).
• Large & mid-sized utility ERPs complete/due, small size due at year end.
• DHS began SCADA focus in May 2004. (Seeking ideas on how to best approach SCADA)
• EPA beginning SCADA work through WERF et al.
• OIG handing off SCADA project to EPA

Water Utility VAs and ERPs are either completed or almost due.

Schedule under the Bioterrorism Act

Systems serving       Certify and submit          Certify Emergency Response Plan
population of:        Vulnerability Assessment    within 6 months of VA
                      by:                         but no later than:
100,000 or greater    March 31, 2003              September 30, 2003
50,000 - 99,999       December 31, 2003           June 30, 2004
3,301 - 49,999        June 30, 2004               December 31, 2004

DHS, in coordination with the Department of Energy and other concerned agencies, will work in partnership with private industry to ensure that there is broad awareness among industry vendors and users, both regulated and unregulated, of the vulnerabilities in DCS/SCADA systems, and the consequences of exploitation of those vulnerabilities.

In May 2004, DHS formed a team to address cyber security concerns, including individuals focusing on SCADA.

"FOIA, antitrust & liability laws represent barriers to public-private cooperation." (p.2)
"Protected Critical Infrastructure Information (PCII) protection." (p.2)

EPA awarded $2.1 million to WERF, including $250k for SCADA research. WERF awarded almost $300,000 to EMA, Inc. to conduct the SCADA research.

What barriers, if any, prevent water systems from successfully securing known SCADA vulnerabilities?
• Determine specific SCADA vulnerabilities identified by water systems and others.
• Determine if identified vulnerabilities are being adequately addressed.
• Determine the reasons behind impediments where water systems cannot successfully reduce or mitigate identified vulnerabilities.
• Determine actions EPA can take to remove impediments.

Planning: Overview

[Diagram labels: Focus efforts; Common Vulnerabilities; Critical areas; Water Sector specific; General in nature]

What barriers, if any, prevent water systems from successfully securing known SCADA vulnerabilities?

Goal 1             Goal 2        Goal 3      Goal 4
Identify           Adequately    Why not?    EPA Response
Vulnerabilities    Addressed?
Critical #1        No            Reason 1    Response 1
                                 Reason 2    Response 2
Critical #2        Yes           N/A         N/A
Common #1          Yes           N/A         N/A
Common #2          No            Reason 1    Response 3
                                 Reason 2    Response 4
                                 Reason 3    Alert DHS/other

[Flowchart: Start -> Identify vulnerabilities. -> Is vulnerability being adequately addressed? Yes -> End. No -> Determine why. (What is the impediment?) -> EPA response]

Goal 1: Determine specific SCADA vulnerabilities identified by water systems and others.
Goal 2: Determine if identified vulnerabilities are being adequately addressed.
Goal 3: Determine the impediments behind instances where utilities cannot successfully reduce or mitigate identified vulnerabilities.
Goal 4: Determine actions EPA can take to remove the impediments.

Other Matters
[Flowchart addition, on the "Yes" branch before End: Measure Effect / Impact of water system Efforts & EPA response]

We encourage EPA to look for ways to measure the extent to which:
  (1) water system efforts and
  (2) EPA response
increased security.

For questions contact:
Ricardo Martinez     (212) 637-3045
Andrew McLaughlin    (202) 566-2591
"